authoradrianp <adrianp>2005-09-19 19:42:11 +0000
committeradrianp <adrianp>2005-09-19 19:42:11 +0000
commit6eaa9b23a683e41414e71222dedfdc2987b06f5d (patch)
tree6be51d0b53a30638566d64150754de1ad95479ea /chat
parente7af4b7e1125391157c17060a8e5988a7981f559 (diff)
Security fix for centericq via Debian
http://secunia.com/advisories/16240/
Diffstat (limited to 'chat')
-rw-r--r--chat/centericq/Makefile4
-rw-r--r--chat/centericq/distinfo8
-rw-r--r--chat/centericq/patches/patch-af80
-rw-r--r--chat/centericq/patches/patch-ag16
-rw-r--r--chat/centericq/patches/patch-ah161
-rw-r--r--chat/centericq/patches/patch-ai31
-rw-r--r--chat/centericq/patches/patch-aj83
-rw-r--r--chat/centericq/patches/patch-ak13
8 files changed, 393 insertions, 3 deletions
diff --git a/chat/centericq/Makefile b/chat/centericq/Makefile
index b2ea1c3eb62..28bf6e694dd 100644
--- a/chat/centericq/Makefile
+++ b/chat/centericq/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.52 2005/07/16 18:55:22 adrianp Exp $
+# $NetBSD: Makefile,v 1.53 2005/09/19 19:42:11 adrianp Exp $
#
DISTNAME= centericq-4.20.0
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= chat
MASTER_SITES= http://konst.org.ua/download/ \
http://centericq.de/archive/source/releases/
diff --git a/chat/centericq/distinfo b/chat/centericq/distinfo
index 1fbb00a2bd1..43f706b836e 100644
--- a/chat/centericq/distinfo
+++ b/chat/centericq/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2005/09/06 08:10:57 abs Exp $
+$NetBSD: distinfo,v 1.18 2005/09/19 19:42:11 adrianp Exp $
SHA1 (centericq-4.20.0.tar.bz2) = 14b37c5257039853f0a1b948c7eaa49581a5913c
RMD160 (centericq-4.20.0.tar.bz2) = 7f17cd87aa4b98269fa65173b3e6317143c7c8ca
@@ -8,3 +8,9 @@ SHA1 (patch-ab) = 6d9beb28024666bbfef2e95cab648d7058f8136c
SHA1 (patch-ac) = 74ae25e19bf5d250a407a937bf78405b38cc86da
SHA1 (patch-ad) = be8ba5c952bf560b0758c97ba81c4faef04ffe49
SHA1 (patch-ae) = 01b4bf2e26c9974b189ffe5d0361651aabaef549
+SHA1 (patch-af) = 5104572b93c4bc1872340ac4d179d74f74958fe8
+SHA1 (patch-ag) = c63b3e1011205f7635ca1710a6e5b39f7ef8986c
+SHA1 (patch-ah) = 2e643c6cfd5812f5f35a08e29cfa858902e1760b
+SHA1 (patch-ai) = 2ac32940347733dbb63e12bdd54212435795b30d
+SHA1 (patch-aj) = 1e4ea16dfc5c8eeae9b70b4bda01a2b367ea2879
+SHA1 (patch-ak) = 155067c43db79d398465bac2d70878e8b714fa8b
diff --git a/chat/centericq/patches/patch-af b/chat/centericq/patches/patch-af
new file mode 100644
index 00000000000..4ffe4344711
--- /dev/null
+++ b/chat/centericq/patches/patch-af
@@ -0,0 +1,80 @@
+$NetBSD: patch-af,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/common.c.orig 2004-07-31 11:47:20.000000000 +0100
++++ libgadu-0.1/common.c
+@@ -284,6 +284,8 @@ char *gg_read_line(int sock, char *buf,
+ {
+ int ret;
+
++ if (!buf || length < 0)
++ return NULL;
+ for (; length > 1; buf++, length--) {
+ do {
+ if ((ret = read(sock, buf, 1)) == -1 && errno != EINTR) {
+@@ -340,7 +342,7 @@ char *gg_urlencode(const char *str)
+ {
+ char *q, *buf, hex[] = "0123456789abcdef";
+ const char *p;
+- int size = 0;
++ unsigned int size = 0;
+
+ if (!str && !(str = strdup("")))
+ return NULL;
+@@ -392,18 +394,18 @@ int gg_http_hash(const char *format, ...
+ va_start(ap, format);
+
+ for (j = 0; j < strlen(format); j++) {
+- unsigned char *arg, buf[16];
++ char *arg, buf[16];
+
+ if (format[j] == 'u') {
+ snprintf(buf, sizeof(buf), "%d", va_arg(ap, uin_t));
+ arg = buf;
+ } else {
+- if (!(arg = va_arg(ap, unsigned char*)))
++ if (!(arg = va_arg(ap, char*)))
+ arg = "";
+ }
+
+ i = 0;
+- while ((c = (int) arg[i++]) != 0) {
++ while ((c = (unsigned char) arg[i++]) != 0) {
+ a = (c ^ b) + (c << 8);
+ b = (a >> 24) | (a << 8);
+ }
+@@ -532,7 +534,7 @@ static char gg_base64_charset[] =
+ char *gg_base64_encode(const char *buf)
+ {
+ char *out, *res;
+- int i = 0, j = 0, k = 0, len = strlen(buf);
++ unsigned int i = 0, j = 0, k = 0, len = strlen(buf);
+
+ res = out = malloc((len / 3 + 1) * 4 + 2);
+
+@@ -590,7 +592,7 @@ char *gg_base64_decode(const char *buf)
+ {
+ char *res, *save, *foo, val;
+ const char *end;
+- int index = 0;
++ unsigned int index = 0;
+
+ if (!buf)
+ return NULL;
+@@ -684,7 +686,7 @@ static int gg_crc32_initialized = 0;
+ static void gg_crc32_make_table()
+ {
+ uint32_t h = 0;
+- int i, j;
++ unsigned int i, j;
+
+ memset(gg_crc32_table, 0, sizeof(gg_crc32_table));
+
+@@ -713,6 +715,8 @@ uint32_t gg_crc32(uint32_t crc, const un
+ {
+ if (!gg_crc32_initialized)
+ gg_crc32_make_table();
++ if (!buf || len < 0)
++ return crc;
+
+ crc ^= 0xffffffffL;
+
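Review bot: gg_base64_encode() still evaluates `strlen(buf)` in its declaration line, so a NULL `buf` is dereferenced before any guard can run, while gg_base64_decode() a few lines further down returns NULL for `!buf`. Declaring `len` without an initialiser and adding `if (!buf) return NULL;` followed by `len = strlen(buf);` would make the two functions agree. The `malloc()` result assigned to `res`/`out` is not checked in the visible lines; the body continues outside the hunk, so that may already be handled there. In gg_http_hash(), `snprintf(buf, sizeof(buf), "%d", va_arg(ap, uin_t))` prints what looks like an unsigned type with `%d`, which is worth confirming against the uin_t typedef.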
diff --git a/chat/centericq/patches/patch-ag b/chat/centericq/patches/patch-ag
new file mode 100644
index 00000000000..bb389286c9d
--- /dev/null
+++ b/chat/centericq/patches/patch-ag
@@ -0,0 +1,16 @@
+$NetBSD: patch-ag,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/dcc.c.orig 2004-01-26 23:49:33.000000000 +0000
++++ libgadu-0.1/dcc.c
+@@ -51,9 +51,9 @@
+ * - buf - bufor z danymi
+ * - size - rozmiar danych
+ */
+-static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, int size)
++static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, unsigned int size)
+ {
+- int i;
++ unsigned int i;
+
+ gg_debug(GG_DEBUG_MISC, "++ gg_dcc %s (fd=%d,len=%d)", prefix, fd, size);
+
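Review bot: Switching `size` and `i` to `unsigned int` in gg_dcc_debug_data() means a negative value handed in by a caller (for instance an error return forwarded as a length) is now converted to a very large count instead of making `i < size` false, so a dump loop bounded by `size` would read far past `buf`. The loop itself is outside the hunk, so this is inferred from the declarations; if it has that shape, either keep the parameter signed with an early `if (size < 0) return;`, or make sure every call site validates the length first. The `gg_debug()` call also still formats the now-unsigned `size` with `%d`; `%u` matches the new type.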
diff --git a/chat/centericq/patches/patch-ah b/chat/centericq/patches/patch-ah
new file mode 100644
index 00000000000..c221113feb3
--- /dev/null
+++ b/chat/centericq/patches/patch-ah
@@ -0,0 +1,161 @@
+$NetBSD: patch-ah,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/events.c.orig 2004-06-10 20:20:08.000000000 +0100
++++ libgadu-0.1/events.c
+@@ -27,6 +27,7 @@
+ #include <arpa/inet.h>
+
+ #include "libgadu-config.h"
++#include "libgadu.h"
+
+ #include <errno.h>
+ #ifdef __GG_LIBGADU_HAVE_PTHREAD
+@@ -153,7 +154,7 @@ int gg_image_queue_remove(struct gg_sess
+ * - e - opis zdarzenia
+ * -
+ */
+-static void gg_image_queue_parse(struct gg_event *e, char *p, int len, struct gg_session *sess, uin_t sender)
++static void gg_image_queue_parse(struct gg_event *e, char *p, unsigned int len, struct gg_session *sess, uin_t sender)
+ {
+ struct gg_msg_image_reply *i = (void*) p;
+ struct gg_image_queue *q, *qq;
+@@ -285,7 +286,7 @@ static int gg_handle_recv_msg(struct gg_
+
+ count = gg_fix32(m->count);
+
+- if (p + count * sizeof(uin_t) > packet_end) {
++ if (p + count * sizeof(uin_t) > packet_end || p + count * sizeof(uin_t) < p || count > 0xffff) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (1.5)\n");
+ goto malformed;
+ }
+@@ -296,8 +297,11 @@ static int gg_handle_recv_msg(struct gg_
+ goto fail;
+ }
+
+- for (i = 0; i < count; i++, p += sizeof(uin_t))
+- e->event.msg.recipients[i] = gg_fix32(*((uint32_t*) p));
++ for (i = 0; i < count; i++, p += sizeof(uint32_t)) {
++ uint32_t u;
++ memcpy(&u, p, sizeof(uint32_t));
++ e->event.msg.recipients[i] = gg_fix32(u);
++ }
+
+ e->event.msg.recipients_count = count;
+
+@@ -306,15 +310,15 @@ static int gg_handle_recv_msg(struct gg_
+
+ case 0x02: /* richtext */
+ {
+- unsigned short len;
++ uint16_t len;
+ char *buf;
+
+ if (p + 3 > packet_end) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (2)\n");
+ goto malformed;
+ }
+-
+- len = gg_fix16(*((unsigned short*) (p + 1)));
++ memcpy(&len, p + 1, sizeof(uint16_t));
++ len = gg_fix16(len);
+
+ if (!(buf = malloc(len))) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() not enough memory for richtext data\n");
+@@ -361,12 +365,22 @@ static int gg_handle_recv_msg(struct gg_
+ case 0x05: /* image_reply */
+ case 0x06:
+ {
+- if (p + sizeof(struct gg_msg_image_reply) + 1 > packet_end) {
++ struct gg_msg_image_reply *rep = (void*)p;
++
++ if (p + sizeof(struct gg_msg_image_reply) == packet_end) {
++ e->type = GG_EVENT_IMAGE_REPLY;
++ e->event.image_reply.sender = gg_fix32(r->sender);
++ e->event.image_reply.size = 0;
++ e->event.image_reply.crc32 = gg_fix32(rep->crc32);
++ e->event.image_reply.filename = NULL;
++ e->event.image_reply.image = NULL;
++ } else if (p + sizeof(struct gg_msg_image_reply) + 1 > packet_end) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (4)\n");
+ goto malformed;
+ }
+-
+- gg_image_queue_parse(e, p, (int)(packet_end - p), sess, gg_fix32(r->sender));
++ rep->size = gg_fix32(rep->size);
++ rep->crc32 = gg_fix32(rep->crc32);
++ gg_image_queue_parse(e, p, (unsigned int)(packet_end - p), sess, gg_fix32(r->sender));
+
+ return 0;
+ }
+@@ -443,7 +457,7 @@ static int gg_watch_fd_connected(struct
+ case GG_NOTIFY_REPLY:
+ {
+ struct gg_notify_reply *n = (void*) p;
+- int count, i;
++ unsigned int count, i;
+ char *tmp;
+
+ gg_debug(GG_DEBUG_MISC, "// gg_watch_fd_connected() received a notify reply\n");
+@@ -454,7 +468,7 @@ static int gg_watch_fd_connected(struct
+ goto fail;
+ }
+
+- if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status == GG_STATUS_NOT_AVAIL_DESCR) || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
++ if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status) == GG_STATUS_NOT_AVAIL_DESCR || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
+ e->type = GG_EVENT_NOTIFY_DESCR;
+
+ if (!(e->event.notify_descr.notify = (void*) malloc(sizeof(*n) * 2))) {
+@@ -557,6 +571,8 @@ static int gg_watch_fd_connected(struct
+ e->event.notify60[i].descr = NULL;
+ e->event.notify60[i].time = 0;
+
++ if (uin & 0x40000000)
++ e->event.notify60[i].version |= GG_HAS_AUDIO_MASK;
+ if (GG_S_D(n->status)) {
+ unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply60));
+
+@@ -628,8 +644,11 @@ static int gg_watch_fd_connected(struct
+
+ e->event.status60.descr = buf;
+
+- if (len > 4 && p[h->length - 5] == 0)
+- e->event.status60.time = *((int*) (p + h->length - 4));
++ if (len > 4 && p[h->length - 5] == 0) {
++ uint32_t t;
++ memcpy(&t, p + h->length - 4, sizeof(uint32_t));
++ e->event.status60.time = gg_fix32(t);
++ }
+ }
+
+ break;
+@@ -695,7 +714,7 @@ static int gg_watch_fd_connected(struct
+
+ if (h->length > 1) {
+ char *tmp;
+- int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
++ unsigned int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
+
+ gg_debug(GG_DEBUG_MISC, "userlist_reply=%p, len=%d\n", sess->userlist_reply, len);
+
+@@ -1336,7 +1355,11 @@ struct gg_event *gg_watch_fd(struct gg_s
+ free(sess->password);
+ sess->password = NULL;
+
+- gg_debug(GG_DEBUG_MISC, "// gg_watch_fd() gg_dcc_ip = %s\n", inet_ntoa(*((struct in_addr*) &gg_dcc_ip)));
++ {
++ struct in_addr dcc_ip;
++ dcc_ip.s_addr = gg_dcc_ip;
++ gg_debug(GG_DEBUG_MISC, "// gg_watch_fd() gg_dcc_ip = %s\n", inet_ntoa(dcc_ip));
++ }
+
+ if (gg_dcc_ip == (unsigned long) inet_addr("255.255.255.255")) {
+ struct sockaddr_in sin;
+@@ -1363,7 +1386,7 @@ struct gg_event *gg_watch_fd(struct gg_s
+
+ if (sess->external_addr && sess->external_port > 1023) {
+ l.external_ip = sess->external_addr;
+- l.external_port = sess->external_port;
++ l.external_port = gg_fix16(sess->external_port);
+ }
+
+ gg_debug(GG_DEBUG_TRAFFIC, "// gg_watch_fd() sending GG_LOGIN60 packet\n");
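Review bot: In the `image_reply` case the new `p + sizeof(struct gg_msg_image_reply) == packet_end` branch has no `return`, so after filling in the empty GG_EVENT_IMAGE_REPLY event control still reaches the in-place `gg_fix32()` of `rep->size`/`rep->crc32` and the call to gg_image_queue_parse() with a length equal to the bare header. If the empty reply is meant to be delivered as is, the branch should end with `return 0;`. Separately, the added `p + count * sizeof(uin_t) < p` test in the recipients check relies on pointer wrap-around, which C leaves undefined and a compiler may drop. Testing `count > 0xffff` first and then comparing `count` with `(size_t)(packet_end - p) / sizeof(uin_t)` expresses the same bound without it. Both spots are inside gg_handle_recv_msg(), whose body starts and ends outside these hunks.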
diff --git a/chat/centericq/patches/patch-ai b/chat/centericq/patches/patch-ai
new file mode 100644
index 00000000000..ac708434087
--- /dev/null
+++ b/chat/centericq/patches/patch-ai
@@ -0,0 +1,31 @@
+$NetBSD: patch-ai,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/http.c.orig 2005-01-23 13:22:37.000000000 +0000
++++ libgadu-0.1/http.c
+@@ -264,7 +264,7 @@ int gg_http_watch_fd(struct gg_http *h)
+ }
+
+ if (h->state == GG_STATE_SENDING_QUERY) {
+- unsigned int res;
++ int res;
+
+ if ((res = write(h->fd, h->query, strlen(h->query))) < 1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, write() failed (len=%d, res=%d, errno=%d)\n", strlen(h->query), res, errno);
+@@ -293,7 +293,7 @@ int gg_http_watch_fd(struct gg_http *h)
+
+ if (h->state == GG_STATE_READING_HEADER) {
+ char buf[1024], *tmp;
+- unsigned int res;
++ int res;
+
+ if ((res = read(h->fd, buf, sizeof(buf))) == -1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, reading header failed (errno=%d)\n", errno);
+@@ -401,7 +401,7 @@ int gg_http_watch_fd(struct gg_http *h)
+
+ if (h->state == GG_STATE_READING_DATA) {
+ char buf[1024];
+- unsigned int res;
++ int res;
+
+ if ((res = read(h->fd, buf, sizeof(buf))) == -1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, reading body failed (errno=%d)\n", errno);
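Review bot: The `gg_debug()` call after the failed `write()` passes `strlen(h->query)`, a `size_t`, for a `%d` conversion; where `size_t` is wider than `int` this mismatches the variadic arguments and can garble the `res` and `errno` values in the log line. Casting at the call, `(int) strlen(h->query)`, keeps the format string unchanged. Making `res` signed is what lets the `< 1` test catch a `-1` return, but `read()` and `write()` return `ssize_t`, so `ssize_t res` would be the closer type. A `read()` result of 0 (peer closed the connection) is not handled in the visible lines; gg_http_watch_fd() continues outside the hunks, so it may be dealt with further down.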
diff --git a/chat/centericq/patches/patch-aj b/chat/centericq/patches/patch-aj
new file mode 100644
index 00000000000..fa9a1d38314
--- /dev/null
+++ b/chat/centericq/patches/patch-aj
@@ -0,0 +1,83 @@
+$NetBSD: patch-aj,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/libgadu.c.orig 2004-03-30 23:44:07.000000000 +0100
++++ libgadu-0.1/libgadu.c
+@@ -378,7 +378,7 @@ int gg_read(struct gg_session *sess, cha
+ */
+ int gg_write(struct gg_session *sess, const char *buf, int length)
+ {
+- int res;
++ int res = 0;
+
+ #ifdef __GG_LIBGADU_HAVE_OPENSSL
+ if (sess->ssl) {
+@@ -415,7 +415,8 @@ void *gg_recv_packet(struct gg_session *
+ {
+ struct gg_header h;
+ char *buf = NULL;
+- int ret = 0, offset, size = 0;
++ int ret = 0;
++ unsigned int offset, size = 0;
+
+ gg_debug(GG_DEBUG_FUNCTION, "** gg_recv_packet(%p);\n", sess);
+
+@@ -477,7 +478,7 @@ void *gg_recv_packet(struct gg_session *
+ memcpy(&h, sess->recv_buf, sizeof(h));
+
+ /* jakieś sensowne limity na rozmiar pakietu */
+- if (h.length < 0 || h.length > 65535) {
++ if (h.length > 65535) {
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() invalid packet length (%d)\n", h.length);
+ errno = ERANGE;
+ return NULL;
+@@ -503,11 +504,18 @@ void *gg_recv_packet(struct gg_session *
+ while (size > 0) {
+ ret = gg_read(sess, buf + sizeof(h) + offset, size);
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv(%d,%p,%d) = %d\n", sess->fd, buf + sizeof(h) + offset, size, ret);
++ if (!ret) {
++ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() failed: connection broken\n");
++ errno = ECONNRESET;
++ return NULL;
++ }
+ if (ret > -1 && ret <= size) {
+ offset += ret;
+ size -= ret;
+ } else if (ret == -1) {
++ int errno2 = errno;
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed (errno=%d, %s)\n", errno, strerror(errno));
++ errno = errno2;
+ if (errno == EAGAIN) {
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() %d bytes received, %d left\n", offset, size);
+ sess->recv_buf = buf;
+@@ -558,9 +566,9 @@ int gg_send_packet(struct gg_session *se
+ {
+ struct gg_header *h;
+ char *tmp;
+- int tmp_length;
++ unsigned int tmp_length;
+ void *payload;
+- int payload_length;
++ unsigned int payload_length;
+ va_list ap;
+ int res;
+
+@@ -584,7 +592,9 @@ int gg_send_packet(struct gg_session *se
+ while (payload) {
+ char *tmp2;
+
+- payload_length = va_arg(ap, int);
++ if (payload_length < 0)
++ gg_debug(GG_DEBUG_MISC, "// gg_send_packet() invalid payload length (%d)\n", payload_length);
++ payload_length = va_arg(ap, unsigned int);
+
+ if (payload_length < 0)
+ gg_debug(GG_DEBUG_MISC, "// gg_send_packet() invalid payload length (%d)\n", payload_length);
+@@ -1150,7 +1160,7 @@ int gg_image_reply(struct gg_session *se
+ struct gg_send_msg s;
+ const char *tmp;
+ char buf[1910];
+- int res;
++ int res = -1;
+
+ gg_debug(GG_DEBUG_FUNCTION, "** gg_image_reply(%p, %d, \"%s\", %p, %d);\n", sess, recipient, filename, image, size);
+
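Review bot: The two lines added in gg_send_packet() test `payload_length < 0` before `payload_length` has been assigned from `va_arg()`, so the first loop iteration reads an uninitialised variable. Because the variable is now `unsigned int`, both this test and the existing one after the assignment can never be true, so a negative length passed by a caller goes unreported and is treated as a very large size. Dropping the duplicated check and reading the argument as signed before storing it keeps the validation meaningful: `int plen = va_arg(ap, int);`, `if (plen < 0) { /* log and fail */ }`, `payload_length = plen;`. What the failure path should do (the existing code only logs) depends on the rest of the loop, which is outside the hunk.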
diff --git a/chat/centericq/patches/patch-ak b/chat/centericq/patches/patch-ak
new file mode 100644
index 00000000000..daef14e61e4
--- /dev/null
+++ b/chat/centericq/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/libgadu.h.orig 2004-06-10 20:20:08.000000000 +0100
++++ libgadu-0.1/libgadu.h
+@@ -351,7 +351,7 @@ struct gg_login_params {
+ int tls; /* czy łączymy po TLS? */
+ int image_size; /* maksymalny rozmiar obrazka w KiB */
+
+- char dummy[7 * sizeof(int)]; /* miejsce na kolejnych 8 zmiennych,
++ char dummy[6 * sizeof(int)]; /* miejsce na kolejnych 8 zmiennych,
+ * żeby z dodaniem parametru nie
+ * zmieniał się rozmiar struktury */
+ };
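Review bot: The reserved array shrinks from `7 * sizeof(int)` to `6 * sizeof(int)`, but no member is added to struct gg_login_params in the visible lines, so as shown the structure becomes `sizeof(int)` smaller, the opposite of what the comment says `dummy` is for. If a member is introduced above the hunk or by another patch this is fine; otherwise code built against the old layout would disagree with the library about the struct size. The comment also still speaks of room for 8 further variables (`miejsce na kolejnych 8 zmiennych`), which matches neither count and should be updated to the real number.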